[Openswan Users] IPSEC Pluto + Allow Unencrypted packets
Paul Wouters
paul at xelerance.com
Thu Jul 30 14:40:23 EDT 2009
On Thu, 30 Jul 2009, shobhit shingla wrote:
> I am using openswan in my network processor.
> Problem is the network processor performs the decryption in the fast path,
> so if the packet is for a local IP, the decrypted packet is injected into the Linux stack.
> But I think ipsec is rejecting the decrypted packet in my kernel.
>
> This is my scenario:
>
>   Linux Machine                                        Network Processor
>   193.168.10.1                                         192.168.1.1
>   193.168.10.0/24 ---- 61.246.5.100 ================ 61.246.2.100 ---- 192.168.1.0/24
>
> ipsec.conf on Network processor
> leftIP = 61.246.2.100
> leftSubnet = 192.168.1.0/24
> rightIP = 61.246.5.100
> rightSubnet = 193.168.10.0/24
> ike= 3des-sha1
> auto = add
> authby = secret
>
> Tunnel is created successfully.
>
> If I ping from, say, 193.168.10.2 to 192.168.1.2, all works fine.
>
> But when I ping 192.168.1.1 from any right-subnet IP, the ESP packet is decrypted in the fast path, so the Linux stack will receive
> the decrypted packet. But somehow that packet is lost.
Is your ipsec server 192.168.1.1? If so, add leftsourceip=192.168.1.1
> Is IPSEC rejecting unencrypted packet?
It should not in this case as it came in encrypted according to you. I would
verify that you have the right sysctl settings:
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
Paul
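The sysctl settings Paul lists are easy to get wrong on a box that was not installed as a gateway, and rp_filter in particular will silently drop a packet that is decrypted on one interface but whose source route points out another. The script below is an added example, not part of this thread or of Openswan itself: it reads "key = value" lines (the format `sysctl -a` prints) on stdin and reports any of the six listed keys that are missing or set to something other than 0. The function name `check_ipsec_sysctls` and the two sample inputs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify the sysctl
# settings recommended above against "key = value" lines such as the
# output of `sysctl -a`.  Usage on a live host:
#     sysctl -a 2>/dev/null | sh -c '. ./check.sh; check_ipsec_sysctls'
# Exit status 0 when every listed key has the expected value, 1 otherwise.

# Expected settings, one "key value" pair per line (the list from the reply).
EXPECTED='net.ipv4.conf.default.rp_filter 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0'

# Read "key = value" lines on stdin and print one line per missing key or
# wrong value.  Returns 0 when all keys match, 1 when any line was printed.
check_ipsec_sysctls() {
    input=$(cat)
    bad=$(printf '%s\n' "$EXPECTED" | while read -r key want; do
        # Value for this key; whitespace around '=' is optional.
        have=$(printf '%s\n' "$input" | sed -n "s/^$key *= *//p" | head -n 1)
        if [ -z "$have" ]; then
            printf 'MISSING  %s (want %s)\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then
            printf 'MISMATCH %s = %s (want %s)\n' "$key" "$have" "$want"
        fi
    done)
    [ -n "$bad" ] && printf '%s\n' "$bad"
    [ -z "$bad" ]
}

# Constructed sample inputs (not captured from a real host).
# A gateway with all six keys set as recommended:
SAMPLE_OK='net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0'

# A typical default install: rp_filter still on, one key not present at all.
SAMPLE_BAD='net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0'

# Demo when run as a script: the bad sample prints two findings and fails.
printf '%s\n' "$SAMPLE_BAD" | check_ipsec_sysctls || echo "sample host needs fixing"
```

The check deliberately treats an absent key as a failure rather than assuming the kernel default, since on a host where IPsec traffic is vanishing the unanswered question is exactly what the effective value is.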